About the authors: Manjri Singh and Anupriya Nair are final year students at NALSAR University of Law, India.
Photo available here.
Introduction
Apple released its iOS 14.5 software update to enhance consumer privacy by presenting users with the App Track Transparency prompt. The prompt gave users the explicit option to allow apps to track their behavior. Although Apple had already given users the option to deny apps from tracking, this was an “opt-out” option and required consumers to seek it out. Apple’s privacy update raises new privacy and competition questions that will inevitably capture the attention of regulatory and enforcement bodies across the world. Regardless of what the outcome is, the fate of Apple’s update will set the standards for privacy and competition compliance across the industry.
The App Track Transparency Prompt
Apple explains that the new prompt offers consumers greater freedom to choose their level of privacy for many types of data. Apps often collect more data than necessary to create digital profiles that they sell to third-parties, which then use this data to target advertisements and predict users’ decisions. The prompt impacts this excess data, but it does not affect the data that apps collect through users’ interaction with the apps themselves.
This development is part of Apple’s broader move towards improving consumer privacy, which was underscored through the addition of a privacy information section on App Store products. However, Apple’s own apps and data collection fall outside the purview of this update.
Impact on the Consent Threshold
Until the release of iOS 14.5, there was a system that automatically collected Identifiers for Advertisers (IDFAs) from user devices. Often, this collection was not explicitly mentioned to the user at the time of collection. Users could only circumvent this system by manually opting out of IDFAs via a reset option in the settings menu. These concealed opt-out options robbed users of the opportunity to take action to prevent apps from using their data, making the system inherently problematic.
In the United Kingdom (UK), the Information Commissioner’s Office has interpreted “consent” under the General Data Protection Regulation (GDPR) to mean opt-in consent, requiring deliberate and clear affirmative action. Therefore, opt-out consent cannot meet the GDPR’s standard of mandatory deliberate and affirmative action. The failure to opt-out of IDFAs, for example, is insufficient to obtain legitimate and deliberate consent.
The iOS 14.5 passes the consent threshold for IDFAs. Users can now choose to not opt-in when they first launch an app, rather than hunting through the settings menu. This requirement is not only limited to IDFAs, but also includes opt-in consent for registered email addresses. By requiring companies to obtain users’ express permission through a prompt, this update advances two core values of privacy law: giving users adequate notice and choice.
Interaction of Privacy and Competition Law
Apple’s pro-privacy efforts may violate competition laws, which regulate the unfair exercise of market power. In the European Union (EU), which has some of the most robust competition regulations and enforcement mechanisms, competition policy is rooted in Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU). Apple’s update may violate Article 102, which prohibits companies from abusing market power. Additionally, the update may constitute anticompetitive conduct under a leveraging theory.
Abuse of Market Power
Under Article 102, abuse includes imposing unfair trading conditions and margin squeezing. However, the European Court of Justice has held that abusive conduct may be reasoned through an objective justification.
Apple’s privacy update is unlikely to fall under the category of unfair trading conditions because Apple has an objective privacy justification, and because this privacy enhancement benefits consumers. This is reflected by the French Competition Authority’s refusal to interfere with the iOS 14.5 update. After investigating the matter, the Competition Authority reasoned that a dominant player was free to set the rules for accessing its services as long as the rules did not violate applicable laws. The Authority determined that Apple’s new rules were not abusive simply because they negatively impacted other companies, and it recognized that the new rules would strengthen users’ ability to protect their privacy.
There is a stronger argument that Apple’s preferential treatment of its own apps is anticompetitive. This preferential treatment may fall within the margin squeeze theory of harm because it raises compliance costs for rivals in the downstream app market. This harm occurs when a dominant upstream firm, competing in a downstream market, provides a key input to its downstream rivals at prices and terms that foreclose competition.
2. Leveraging Market Power in the App Download Platform Market
While not enumerated in the TFEU, a firm may also be liable for leveraging its dominant position in one market to gain an advantage in another market. Apple wields dominance in the app download platform market through its App Store. Using this dominance, Apple gives preference to its own apps by exempting them from its new privacy requirements. Therefore, only Apple’s rivals in the downstream app market suffer increased compliance costs.
Although there is limited jurisprudence on leveraging theories, a leveraging theory argument prevailed in the Google Search (Shopping) case. The Commission held that Google abused its dominant position in the online general search market by giving its own shopping service a prominent position in search results relative to its competitors’ services, diverting traffic to its own service. The EU is looking to clamp down on leveraging conduct through legislation. The proposed Digital Markets Act specifically disapproves of such self-preferencing conduct. Apple’s preferential treatment towards its own apps fits in the “Google Search” framework, and the growing attention on leveraging opens the door for enforcement agencies to intervene under a leveraging theory.
3. Limiting Consumer Choice Is Anticompetitive
Given Apple’s dominance in the app download platform market, its data collection consent policies may be inherently problematic if they restrict consumer choice. Apple’s new privacy protections give users limited options. Users may either accept the privacy policy or decline. In a similar vein, Facebook’s data collection policies have been investigated by the German competition authority. The authority found that Facebook abused its dominance in the social network market by subjecting its users to a take-it or leave-it policy that restricted consumers’ consent options. By analyzing consumers’ consent options as a non-price parameter for anticompetitive conduct, rather than as a privacy right, the authority brought the issue of consumer consent within the reach of competition laws.
The Future of the Advertising Technology Ecosystem
Apple’s opt-in requirement will help shape the way in which privacy protections function within the larger scope of the advertising technology industry. Other leading companies will be forced to follow suit and keep up with the higher standards established by Apple’s pro-privacy efforts. Companies that have built business models which rely heavily on the collection of IDFAs without an opt-in option will need to reinvent their data strategies to ensure compliance with the GDPR and the latest updates of their competitors in the realm of privacy protection measures.
Changes in iOS are likely to lead to changes in Android, and in companies operating out of the operating system sphere as a whole. When Apple proposed the concept of IDFAs, Google developed its own system of identifiers called Google Advertising ID (AAID). Further, Google followed suit when Apple removed third-party cookies from Safari by implementing the same change in Chrome using a privacy sandbox .
Similarly, Google will likelyenable an opt-in option for its AAIDs to keep up with the changing ad tech ecosystem and ensurecomparative compliance with the GDPR guidelines. The likelihood of these outcomes is contingent on the decisions of competition law authorities and their stances on privacy and competition. Accordingly, if competition authorities penalize Apple, they may crystallize competition laws and indirectly improve compliance among other big tech companies. Given the acute interest of competition authorities in promoting competition, checking excesses, and scrutinizing spill-over effects in the ad-tech space, greater compliance grows increasingly likely.